Peter Steinberger
6f7d31c426
fix(security): harden plugin/hook npm installs
2026-02-14 14:07:14 +01:00
Peter Steinberger
d69b32a073
docs(changelog): clarify hooks transform dir restriction
2026-02-14 14:02:16 +01:00
Peter Steinberger
d73b48b32c
fix(ts): map plugin-sdk subpaths
2026-02-14 13:01:02 +00:00
Peter Steinberger
ec399aaddf
perf(test): parallelize unit-isolated
2026-02-14 13:01:02 +00:00
Peter Steinberger
18e8bd68c5
fix(security): block hook manifest path escapes
2026-02-14 14:00:37 +01:00
Peter Steinberger
3bbd29bef9
perf(gateway): cache session list transcript fields
2026-02-14 12:52:51 +00:00
Peter Steinberger
a0361b8ba9
fix(security): restrict hook transform module loading
2026-02-14 13:46:09 +01:00
Peter Steinberger
6543ce717c
perf(test): avoid plugin-sdk barrel imports
2026-02-14 12:42:19 +00:00
Peter Steinberger
1ba266a8e8
refactor: split minimax-cn provider
2026-02-14 13:37:47 +01:00
Peter Steinberger
bf080c2338
Merge remote-tracking branch 'origin/main'
2026-02-14 13:36:18 +01:00
Tak Hoffman
274da72c38
Revert "fix: don't auto-create HEARTBEAT.md on workspace init (openclaw#12027) thanks @shadril238" ( #16183 )
...
This reverts commit 386bb0c618
2026-02-14 06:33:14 -06:00
Peter Steinberger
83248f7603
Merge remote-tracking branch 'origin/main'
2026-02-14 13:30:22 +01:00
Peter Steinberger
af50b914a4
refactor(browser): centralize http auth
2026-02-14 13:30:11 +01:00
Peter Steinberger
a2b45e1c13
fix(gateway): relax http tool deny typing
2026-02-14 13:30:05 +01:00
Aldo
7b39543e8d
fix(reply): honour explicit [[reply_to_*]] tags when replyToMode is off ( #16174 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 778fc2559a17973757+aldoeliacim@users.noreply.github.com >
Co-authored-by: steipete <58493+steipete@users.noreply.github.com >
Reviewed-by: @steipete
2026-02-14 13:29:42 +01:00
Peter Steinberger
0af76f5f0e
refactor(gateway): centralize node.invoke param sanitization
2026-02-14 13:27:45 +01:00
Peter Steinberger
c15946274e
fix(gateway): allowlist system.run params
2026-02-14 13:27:45 +01:00
Peter Steinberger
a7af646fdf
fix(gateway): bind approval ids to device identity
2026-02-14 13:27:45 +01:00
Peter Steinberger
318379cdba
fix(gateway): bind system.run approvals to exec approvals
2026-02-14 13:27:45 +01:00
Peter Steinberger
233483d2b9
refactor(security): centralize dangerous tool lists
2026-02-14 13:27:05 +01:00
Peter Steinberger
0cfea46293
fix: wire minimax-api-key-cn onboarding ( #15191 ) (thanks @liuy)
2026-02-14 13:25:54 +01:00
Liu Yuan
9bb099736b
feat: add minimax-api-key-cn option for China API endpoint
...
- Add 'minimax-api-key-cn' auth choice for Chinese users
- Reuse existing --minimax-api-key CLI option
- Use MINIMAX_CN_API_BASE_URL (https://api.minimaxi.com/anthropic )
- Similar to how moonshot supports moonshot-api-key-cn
Tested: build ✅ , check ✅ , test ✅
2026-02-14 13:25:54 +01:00
Peter Steinberger
cd84885a4a
test(browser): cover bridge auth registry fallback
2026-02-14 13:23:24 +01:00
Peter Steinberger
586176730c
perf(gateway): optimize sessions/ws/routing
2026-02-14 12:21:44 +00:00
Peter Steinberger
c90b3e4d5e
perf(cli): speed up startup
2026-02-14 12:21:44 +00:00
Peter Steinberger
a7a08b6650
test(gateway): cover tools allow/deny precedence
2026-02-14 13:18:49 +01:00
Peter Steinberger
153a7644ea
fix(acp): tighten safe kind inference
2026-02-14 13:18:49 +01:00
Peter Steinberger
6dd6bce997
fix(security): enforce sandbox bridge auth
2026-02-14 13:17:41 +01:00
Peter Steinberger
eb4215d570
perf(test): speed up Vitest bootstrap
2026-02-14 12:13:27 +00:00
Mariano Belinky
626a225c08
docs: fix merge-pr comment variable expansion
2026-02-14 12:07:00 +00:00
Nicholas
f8ba8f7699
fix(docs): update outdated hooks documentation URLs ( #16165 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 8ed13fb02f188132635+nicholascyh@users.noreply.github.com >
Co-authored-by: steipete <58493+steipete@users.noreply.github.com >
Reviewed-by: @steipete
2026-02-14 13:05:37 +01:00
Mariano
01d2ad2050
docs: harden maintainer and advisory workflow ( #16173 )
2026-02-14 11:59:19 +00:00
Peter Steinberger
79e78cff3b
docs(changelog): thank reporter for ACP hardening
2026-02-14 12:54:47 +01:00
Peter Steinberger
4711a943e3
fix(browser): authenticate sandbox browser bridge server
2026-02-14 12:54:16 +01:00
Peter Steinberger
bb1c3dfe10
fix(acp): prompt for non-read/search permissions
2026-02-14 12:53:27 +01:00
Peter Steinberger
9e24eee52c
docs(changelog): note audit warning for gateway tools override
2026-02-14 12:48:48 +01:00
Peter Steinberger
539689a2f2
feat(security): warn when gateway.tools.allow re-enables dangerous HTTP tools
2026-02-14 12:48:02 +01:00
Peter Steinberger
fba19fe942
docs: link trusted-proxy auth from gateway docs ( #16172 )
2026-02-14 12:44:25 +01:00
Peter Steinberger
3b56a6252b
chore!: remove moltbot legacy state/config support
2026-02-14 12:40:47 +01:00
Peter Steinberger
e21a7aad54
docs: recommend loopback-only gateway bind
2026-02-14 12:36:32 +01:00
Nick Taylor
1fb52b4d7b
feat(gateway): add trusted-proxy auth mode ( #15940 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 279d4b304f833231+nickytonline@users.noreply.github.com >
Co-authored-by: steipete <58493+steipete@users.noreply.github.com >
Reviewed-by: @steipete
2026-02-14 12:32:17 +01:00
Artale
3a330e681b
fix(feishu): remove typing indicator on NO_REPLY cleanup (openclaw#15508) thanks @arosstale
...
Verified:
- pnpm build
- pnpm check
- pnpm test
Co-authored-by: arosstale <117890364+arosstale@users.noreply.github.com >
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com >
2026-02-14 05:24:27 -06:00
Peter Steinberger
6182d3ef85
test: increase live-model retry token budget for reasoning-first providers
2026-02-14 12:23:51 +01:00
Pejman Pour-Moezzi
9475791d98
fix: update remaining replyToMode "first" defaults to "off"
...
- src/channels/dock.ts: core channel dock fallback
- src/auto-reply/reply/reply-routing.test.ts: test expectation
- docs/zh-CN/channels/telegram.md: Chinese docs reference
Comprehensive grep confirms no remaining Telegram-specific "first"
defaults after this commit.
2026-02-13 23:31:17 -08:00
Pejman Pour-Moezzi
c17a109daa
fix: align extension plugin and docs with new replyToMode default
...
Update the Telegram extension channel plugin fallback and documentation
to reflect the new "off" default, as flagged by Greptile review.
2026-02-13 23:31:17 -08:00
Pejman Pour-Moezzi
ad96c126ed
fix(telegram): change default replyToMode from "first" to "off"
...
In 2026.2.13, the combination of implicit reply threading (#14976 ) and
the existing Telegram default replyToMode="first" causes every bot
response in DMs to be sent as a native Telegram reply (quoted message
bubble), even for simple exchanges like "Hi" → "Hey".
This is a UX regression: prior to 2026.2.13, reply threading was less
consistent so the "first" default rarely produced visible quote bubbles
in DMs. Now that implicit threading works reliably, the default
effectively means every first message in a response gets quoted —
which feels noisy and unexpected in 1:1 conversations.
Changing the default to "off" restores the pre-2026.2.13 DM experience.
Users who want reply threading can still opt in via config:
channels.telegram.replyToMode: "first" | "all"
Tested by toggling replyToMode on a live 2026.2.13 instance:
- replyToMode="first" → every response quotes the user message
- replyToMode="off" → clean responses without quote bubbles
No test changes needed: existing tests explicitly set replyToMode
rather than relying on the default.
2026-02-13 23:31:17 -08:00
Vignesh Natarajan
4c79a63eb8
fix: default QMD search mode ( #16047 ) (thanks @togotago)
2026-02-13 23:14:34 -08:00
vignesh07
e38ed4f640
fix(memory): default qmd searchMode to search + scope search/vsearch to collections
2026-02-13 23:14:34 -08:00
Peter Steinberger
a50638eead
perf(test): disable vector index in OpenAI batch tests
2026-02-14 05:25:40 +00:00
Peter Steinberger
0e5e72edb4
perf(test): shrink memory embedding batch fixtures
2026-02-14 05:25:40 +00:00
